bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c

Analysis

max time kernel
151s
max time network
72s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
20/10/2022, 07:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe
Size

625KB
MD5

813a014ec0041c5474e65f9f4016e8b0
SHA1

650590b2cb664776910fb1d57f8ae343096ed276
SHA256

bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c
SHA512

4cde9965c0d6e2cf0df79886fd27a9d59f0757c7814aa976226e7b75f46ae0ce023fb9e3bf253c3c305320e418958630d065fa170223b876328ee54b42021a9c
SSDEEP

12288:OHjcoe9PH96vB/fAuBcm9TyOE/xG3muGx44MG4Yx:ODgINfAuBcgcZG2uG24MG4Y

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1312	bapuzp.exe
1684	~DFA52.tmp
360	icneep.exe

Deletes itself 1 IoCs

pid	Process
552	cmd.exe

Loads dropped DLL 3 IoCs

pid	Process
620	bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe
1312	bapuzp.exe
1684	~DFA52.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
360	icneep.exe
360	icneep.exe
360	icneep.exe
360	icneep.exe
360	icneep.exe
360	icneep.exe
360	icneep.exe
360	icneep.exe
360	icneep.exe
360	icneep.exe
360	icneep.exe
360	icneep.exe
360	icneep.exe
360	icneep.exe
360	icneep.exe
360	icneep.exe
360	icneep.exe
360	icneep.exe
360	icneep.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1684	~DFA52.tmp

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 1312	620	bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe	27
PID 620 wrote to memory of 1312	620	bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe	27
PID 620 wrote to memory of 1312	620	bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe	27
PID 620 wrote to memory of 1312	620	bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe	27
PID 620 wrote to memory of 552	620	bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe	29
PID 620 wrote to memory of 552	620	bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe	29
PID 620 wrote to memory of 552	620	bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe	29
PID 620 wrote to memory of 552	620	bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe	29
PID 1312 wrote to memory of 1684	1312	bapuzp.exe	28
PID 1312 wrote to memory of 1684	1312	bapuzp.exe	28
PID 1312 wrote to memory of 1684	1312	bapuzp.exe	28
PID 1312 wrote to memory of 1684	1312	bapuzp.exe	28
PID 1684 wrote to memory of 360	1684	~DFA52.tmp	31
PID 1684 wrote to memory of 360	1684	~DFA52.tmp	31
PID 1684 wrote to memory of 360	1684	~DFA52.tmp	31
PID 1684 wrote to memory of 360	1684	~DFA52.tmp	31

C:\Users\Admin\AppData\Local\Temp\bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe
"C:\Users\Admin\AppData\Local\Temp\bf0604787c8a8fca9380819903dcd1190930ae895cbc8c9c7ad9901af43ed59c.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:620
- C:\Users\Admin\AppData\Local\Temp\bapuzp.exe
  C:\Users\Admin\AppData\Local\Temp\bapuzp.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1312
- - C:\Users\Admin\AppData\Local\Temp\~DFA52.tmp
    C:\Users\Admin\AppData\Local\Temp\~DFA52.tmp OK
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1684
  - - C:\Users\Admin\AppData\Local\Temp\icneep.exe
      "C:\Users\Admin\AppData\Local\Temp\icneep.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:360
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\_uninsep.bat" "
  2⤵
  - Deletes itself
  PID:552

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uninsep.bat

Filesize
341B

MD5
0ab879116d2f832638e2279a84b4d158

SHA1
eeb6689135b759308a7c8b18c9d7128689333faf

SHA256
9d77723737fff556ad558ee832086b511505e2ac9ed526cc3665b3441f4e1a22

SHA512
27217f1ab2e62d7ffd4504057c3ead44dced4297e23df7f2b8b8950842b861c3aac2eb7f5e5bc440548c01fdf30cb59d5c3b2124715feab285e29e0f0e995b2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bapuzp.exe

Filesize
627KB

MD5
8cb2c2f058c02fbe1ef4cbd731c58986

SHA1
0e5dc8b6b3a1c9dfc68c4fc1256293c5b729c5e6

SHA256
29001ac48db0ad6ec53ce81341347e71e76fae8e015bd0878dbbc03df9c0598b

SHA512
f7ed54d7c23ae26b84b004b055cc94eb1edcbfcb0329dc28941a39d866ead911d3ccfc1935a0ca46532819c09197d3a59222c3f89037d2847d7bfa478f1efea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\bapuzp.exe

Filesize
627KB

MD5
8cb2c2f058c02fbe1ef4cbd731c58986

SHA1
0e5dc8b6b3a1c9dfc68c4fc1256293c5b729c5e6

SHA256
29001ac48db0ad6ec53ce81341347e71e76fae8e015bd0878dbbc03df9c0598b

SHA512
f7ed54d7c23ae26b84b004b055cc94eb1edcbfcb0329dc28941a39d866ead911d3ccfc1935a0ca46532819c09197d3a59222c3f89037d2847d7bfa478f1efea0

Download Submit
C:\Users\Admin\AppData\Local\Temp\gbp.ini

Filesize
104B

MD5
86bb2dbeaef655893262f3c041f6afe2

SHA1
1b26ff1241c1353bd506c18bd0c11878076ba65d

SHA256
4a57643d2c59d1235bc0926f845583f39345839e3e9428ad619eb4b6baf96ad2

SHA512
58294cfaa5882a4c5625c03fe6f9e4882912b31f7169241f95626745d66c0a746083a9044365943d66ae7a420113d28c0ddd642c4ed697c683deb63796a13d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
480B

MD5
be8eacf4aa2d8806c14367732af696bd

SHA1
d619c3875453a3be827b4bb3843ec09266213320

SHA256
6b913c346cc0c3527aab478cac4b3ba3d4c935a1d52f305ddf7667d16413a7c5

SHA512
5dad7651c199d43ffcc435d58f5cd5920192fbedaa3026236ff0bac7a56f9e0c427a3a5345c28c66bce2f1abe5b2950ae23f184d918f740e1babb6c63f02d82e

Download Submit
C:\Users\Admin\AppData\Local\Temp\icneep.exe

Filesize
408KB

MD5
fbd3403d4e824170c16169b37d0c9563

SHA1
74da123e5e4282b721db84971d3b9939ac4562a8

SHA256
e9b145ba9e79371c5f69e0fe13b4db97e7129abeb4b8d931a17de2c6acafddba

SHA512
1eb23d093e4a0ee446b10c2d4770451e634930185226914e918d1e56df01fce00cd0af2e8e425629ce741574737efebafabc046b052a0fd7dce0cb0fc247a861

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DFA52.tmp

Filesize
629KB

MD5
92b2f86a018a94520d600638fbd5f480

SHA1
454460eb276b824ca5f7726e1128a8dcc023f9f1

SHA256
d394e57aa827fbaa81aecefb2694fd68099d619370aae6a605b9f52c4eb08dde

SHA512
34a342c5ebabe1d8b32c47002564beb21d77012287d20e329aff365ca0fb33a5f6432472fc0ace1949c1c45a541e10c179faacf116be6a7f9d1624d708d682cc

Download Submit
\Users\Admin\AppData\Local\Temp\bapuzp.exe

Filesize
627KB

MD5
8cb2c2f058c02fbe1ef4cbd731c58986

SHA1
0e5dc8b6b3a1c9dfc68c4fc1256293c5b729c5e6

SHA256
29001ac48db0ad6ec53ce81341347e71e76fae8e015bd0878dbbc03df9c0598b

SHA512
f7ed54d7c23ae26b84b004b055cc94eb1edcbfcb0329dc28941a39d866ead911d3ccfc1935a0ca46532819c09197d3a59222c3f89037d2847d7bfa478f1efea0

Download Submit
\Users\Admin\AppData\Local\Temp\icneep.exe

Filesize
408KB

MD5
fbd3403d4e824170c16169b37d0c9563

SHA1
74da123e5e4282b721db84971d3b9939ac4562a8

SHA256
e9b145ba9e79371c5f69e0fe13b4db97e7129abeb4b8d931a17de2c6acafddba

SHA512
1eb23d093e4a0ee446b10c2d4770451e634930185226914e918d1e56df01fce00cd0af2e8e425629ce741574737efebafabc046b052a0fd7dce0cb0fc247a861

Download Submit
\Users\Admin\AppData\Local\Temp\~DFA52.tmp

Filesize
629KB

MD5
92b2f86a018a94520d600638fbd5f480

SHA1
454460eb276b824ca5f7726e1128a8dcc023f9f1

SHA256
d394e57aa827fbaa81aecefb2694fd68099d619370aae6a605b9f52c4eb08dde

SHA512
34a342c5ebabe1d8b32c47002564beb21d77012287d20e329aff365ca0fb33a5f6432472fc0ace1949c1c45a541e10c179faacf116be6a7f9d1624d708d682cc

Download Submit
memory/360-80-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/620-66-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/620-54-0x0000000075711000-0x0000000075713000-memory.dmp

Filesize
8KB

Download
memory/620-68-0x0000000001E30000-0x0000000001F0E000-memory.dmp

Filesize
888KB

Download
memory/620-55-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1312-70-0x0000000002C00000-0x0000000002CDE000-memory.dmp

Filesize
888KB

Download
memory/1312-69-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1312-73-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1684-71-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1684-74-0x0000000000400000-0x00000000004DE000-memory.dmp

Filesize
888KB

Download
memory/1684-79-0x0000000003810000-0x000000000394E000-memory.dmp

Filesize
1.2MB

Download